Cyber Space - Global cyber expectations for 2026: New laws, regulations and increased severity of incidents? Part 2
Introduction
This is the second part of our horizon scanning piece prepared in tandem with our international colleagues to consider what developments and changes we may see in respect of cyber incidents over the next 12 months.
Whilst Part 1 covered the UK and EU, Part 2 covers selected countries from the rest of the world. In this latter part, we also draw conclusions and identify the key considerations for those working in the cyber insurance market moving further into the coming year.
1. Asia-Pacific
The Asia-Pacific (“APAC”) region has experienced a wave of enhanced cyber regulation in 2025 and 2026. Various APAC jurisdictions, including Singapore, Malaysia, and Vietnam, are each introducing significant legislative changes aimed at strengthening cyber resilience and accountability. We predict that these changes will potentially shape the cyber insurance industry in the following ways.
Increased Uptake in Cyber Insurance
Legislative developments across APAC are likely to drive an increased uptake of cyber insurance, particularly among larger organisations and businesses operating in cross-border environments, who are more likely to be subject to new regulatory requirements.
In particular, more organisations and business models are now subject to cybersecurity regulation, increasing regulatory exposure. For example:
- In Singapore, amendments to the Cybersecurity Act 2018 empower the Commissioner of Cybersecurity to designate a computer or computer system as a System of Temporary Cybersecurity Concern. This is effectively a time-limited designation of a computer or computer system as critical information infrastructure, and it subjects the owner to various compliance measures during the temporary designation. Please see here for further information on the recent amendments to Singapore’s Cybersecurity Act.
- In Vietnam, the introduction of the Law on Data requires certain businesses providing intermediary data services and data analysis and aggregation services to obtain a certificate of eligibility, which requires (among other requirements) the business to be certified for information security and safety in accordance with legal regulations. Please see here for further information on Vietnam’s Law on Data.
These developments are likely to stimulate demand for cyber insurance from larger organisations as newly regulated organisations seek to manage increased regulatory and operational risk.
Broader Policy Scope and Coverage
Cybersecurity regulation increasingly targets business ecosystems. Owners, vendors, and service providers may face overlapping legal and regulatory exposure arising from a single cyber incident. As a result, insured parties are likely to seek broader policy wording to address cyber incidents affecting upstream or downstream entities and expansive regulatory penalties.
Emergence of New Cyber Insurance Products
As cybersecurity regulation in APAC expands to cover a wider range of entities and operational roles, insurers may look to develop new cyber insurance products tailored to newfound regulatory risk arising from such expansion.
2. Brazil
High Cyber-Attack Volume
Brazil is consistently among the countries most affected by cyber incidents. By late 2025, organisations in Brazil faced an estimated 2,800 attempted cyberattacks weekly, significantly above global averages. As the most targeted market in Latin America, Brazil accounts for a disproportionate share of regional cyber activity, including ransomware incidents.
High Exposure with Limited Risk Transfer
Brazil’s legal and regulatory framework has further increased the financial impact of cyber events. Data protection obligations under the LGPD (Lei Geral de Proteção de Dados (the General Personal Data Protection Act)), together with potential enforcement by the ANPD (Agência Nacional de Proteção de Dados (the National Data Protection Authority)), mean that cyber incidents now carry material legal and liability exposure and have caused a shift in management perspectives.
Although over 20 insurers are licensed to offer cyber insurance in Brazil, with broad coverage available, penetration remains low. Market surveys suggest that only about one quarter of Brazilian companies hold cyber insurance, leaving the majority to absorb cyber losses directly.
This gap between high exposure and limited risk transfer highlights a clear growth opportunity, as cyber insurance increasingly becomes a core element of enterprise risk management in Brazil.
3. Middle East and North Africa (“MENA”)
For context, this section was drafted prior to the commencement of the conflict involving the US, Israel, Iran and the wider region. Whilst the conflict may affect the potential scope for cyber incidents in this region, we anticipate that it will not alter the relevance of the issues considered below. The potential impacts will however be covered in a further article once more information about them is known.
(i) Saudi Arabia – Increasing PDPL Enforcement Activity
The Saudi data regulator, Saudi Data & AI Authority (“SDAIA”), has become significantly more responsive in enforcing the Saudi Personal Data Protection Law, reacting quickly to data subject complaints and initiating investigations at pace. Organisations are now receiving very short response timelines (often between one and five days) to address regulatory queries. With individuals becoming more aware of their rights, a rise in complaints is expected in 2026, alongside an uptick in investigations. To date no violation decisions or fines have been published by the Violations Committee, the body responsible for reviewing investigations and issuing enforcement decisions under the law, but 2026 may see the first public decisions as SDAIA’s enforcement posture continues to mature.
(ii) Dubai International Financial Centre (“DIFC”) – Full Enforcement of AI & Automated Processing Regulation
From January 2026, the DIFC will begin full enforcement of Regulation 10 of the Data Protection Regulations: its dedicated framework for autonomous and semi‑autonomous systems, including AI, generative models and machine‑learning technologies. The regulation introduces enhanced transparency requirements (such as documenting human‑defined purposes, design principles, system outputs and their intended uses) and mandates an Autonomous Systems Officer for high‑risk processing. It also establishes a formal certification scheme overseen by the Commissioner’s Office. This is the first regulation of its kind in the MEASA region and is expected to set a regional benchmark for AI governance.
(iii) Egypt – Executive Regulations Trigger 2026 Compliance Deadline
Egypt has issued the long‑awaited Executive Regulations to the Egypt Personal Data Protection Law, triggering a one‑year grace period that, on a strict reading, would expire by 31 October 2026. Although the regulations were published in the Official Gazette on 1 November 2025, they were only made publicly available on 25 December 2025, so it remains unclear whether the regulator will adopt a later compliance deadline. The regulations provide detailed requirements for the licensing and permitting regime for processing activities, including electronic marketing, sensitive data processing, and international transfers. They also clarify breach‑notification obligations: reporting to the regulator within 72 hours via the designated electronic portal or hotline, and notifying affected individuals within three days thereafter through agreed channels such as SMS, email or telephone. Organisations operating in or targeting Egypt will need to prepare for full compliance ahead of the 2026 deadline.
Conclusion and general considerations for insurers
Following the above and the issues considered in Part 1, we consider that brokers and insurers involved in international cyber should be aware of the following key points:
- 2026 is likely to be a year of increased regulatory scrutiny across the globe as traditionally larger regulated companies face more stringent requirements as far as their cyber security is concerned. In turn, these companies may be subject to increased incident notification obligations and potential enforcement measures.
- It is possible that an increase in the number of regulatory investigations pursuant to new legislative measures could result in an increase in claims not only under typical cyber insurance policies but also D&O and/or PI policies. Insurers should be aware that the costs of those investigations are likely to be more significant in light of the more extensive and wider-ranging powers available to regulators across the globe.
- It may be that implementation of the NIS-2 directive across various EU jurisdictions (and specifically setting a minimum threshold for cyber security) and other similar regulations globally will force regulated companies to “up their game” with respect to their cyber security. Underwriters may wish to reflect these increased thresholds in their own underwriting guidelines.
Cyber Space – More to come…
This article is part of our Cyber Space series. These regular articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.
As well as those named, we are also grateful for the contributions from Dan Myers (UK), Sam Silver (UK), Andre Choo (Singapore), Sherman Poon (Singapore), Masha Ooijevaar (UAE) and Danilo Weiller Roque (Brazil).